sendity / laravel-server
Self-hosted Sendity server implementation for Laravel
Requires
- php: >=8.2
- ext-mbstring: *
- ext-openssl: *
- illuminate/broadcasting: ^12.0|^13.0
- illuminate/events: ^12.0|^13.0
- illuminate/queue: ^12.0|^13.0
- illuminate/support: ^12.0|^13.0
- nyholm/psr7: ^1.8
- pusher/pusher-php-server: ^7.2
- sendity/core: ^0.3@beta
- sendity/email-channel: ^0.3@beta
- sendity/phone-channel: ^0.3@beta
- symfony/psr-http-message-bridge: ^7.0
Requires (Dev)
- orchestra/testbench: ^10.0|^11.0
- phpunit/phpunit: ^11.5
This package is auto-updated.
Last update: 2026-07-14 07:07:18 UTC
README
Reusable Laravel package for running the Sendity API in a Laravel runtime.
composer require sendity/laravel-server
Boundary
This is a PHP/Laravel package. It is not the public Sendity website and it does not own Docker-era hosted-app wiring.
It owns:
- AuthRequest creation and status endpoints.
- inbound channel webhook endpoints:
- email receives raw
message/rfc822bodies and delegates DKIM/MIME/code extraction tosendity/email-channel; - non-email channels continue to use their package-specific JSON adapters.
- email receives raw
- webhook signature and replay validation.
- JWT issuing and JWKS publication.
- realtime/broadcasting auth metadata for AuthRequest status updates.
It intentionally does not own:
- the
<x-sendity />Blade wrapper for customer applications; - browser UI defaults such as
SENDITY_CLIENT_SCRIPT_URLorSENDITY_VERIFY_URLS; - the hosted marketing/customer website;
- Docker/Traefik deployment manifests.
Compatibility
- PHP:
>=8.2 - Laravel components:
^12.0|^13.0 - Testbench:
^10.0|^11.0
Important environment variables
SENDITY_ROUTE_PREFIX=sendity
SENDITY_JWT_ALGORITHM=RS256
SENDITY_JWT_PRIVATE_KEY_BASE64=
SENDITY_JWT_PUBLIC_KEY_BASE64=
SENDITY_JWT_ISSUER=https://sendity.io
SENDITY_DEFAULT_TOKEN_TTL=600
SENDITY_AUTH_REQUEST_TTL=300
SENDITY_WEBHOOK_SECRET=
SENDITY_EMAIL_MAX_MESSAGE_BYTES=262144
SENDITY_EMAIL_MAX_EXTRACTED_CODES=5
SENDITY_PHONE_RECIPIENT=+4915888620026
SENDITY_RCS_SERVICE_ID=sendity_agent@rbm.goog
SENDITY_APP_PHONE_SMS_FALLBACK_ALLOWED=false
SENDITY_BROADCASTING_ENABLED=true
TTL values are application configuration. They are not accepted as client request payload fields.
AuthRequest creation returns one server-owned verification_action. The browser may provide bounded localized email_body and phone_text templates; the server substitutes the formatted code and the validated origin hostname, selects the configured recipient, and builds the complete action URL. Email uses the code as subject and a localized return instruction as body. Phone uses the code-and-return instruction as body. For a Twilio/Google RCS setup, recipient remains the SMS fallback number, optional rcs_recipient contains the configured RBM agent ID, and url contains the complete sms: deep link with service_id and body. Browser clients display only the primary recipient and use the URL unchanged.
Polling can report pending, received, or verified. Verification rejections such as failed DKIM checks or a disallowed SMS fallback are exposed through latest_verification_rejection and broadcast as .verification.rejected.
Hosted sendity.io exposes the public Sendity API through the website Laravel process under /api/*. A direct self-hosted runtime can use the package default /sendity/* prefix or configure another prefix.